All Posts

If your lookup only contains hostname, ip address and location, how will you find any events where MESSAGE_TEXT="Radius"?
I have a lookup file that contains a column for hostname, ip address and location. I need a query that will check the lookup file and determine if the element is up or down and if it has or used "radius".

|inputlookup filename | search (MESSAGE_TEXT="Radius")
Hi there, Please contact your Splunk sales account team for this, they are able to help you. cheers, MuS
Reply: Can we enforce the data to be rolled from the Hot/warm to Cold after one month then from Cold to frozen after one month.
Hello Splunker,

I have two volumes with the following specs:
Hot/Warm Volume: 5.25 TB
Cold Volume: 4.75 TB
================================
[volume:hot]
path = /opt/splunk-hwdata
maxVolumeDataSizeMB = 7602176

[volume:cold]
path = /opt/splunk-Colddata
maxVolumeDataSizeMB = 4980736
==================================
[Win]
repFactor = auto
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb
homePath.maxDataSizeMB = 7602176
coldPath.maxDataSizeMB = 4980736
maxWarmDBCount = 720
frozenTimePeriodInSecs = 5184000
maxDataSize = auto_high_volume

[FW]
repFactor = auto
homePath = volume:hot/$_index_name/db
coldPath = volume:cold/$_index_name/colddb
thawedPath = /opt/splunk-Colddata/$_index_name/thaweddb
homePath.maxDataSizeMB = 7602176
coldPath.maxDataSizeMB = 4980736
maxWarmDBCount = 720
frozenTimePeriodInSecs = 5184000
maxDataSize = auto_high_volume
====================================
Notice we have re-configured the below:
[diskUsage]
minFreeSpace = 20000

Finally, we have reached the bottom of the question. I doubt whether this configuration can maintain the below requirements:
The data retention period for the online data is 2 months.
- Hot/Warm – 1 month
- Cold – 1 month
Hi there, Can you please post an example _raw event in a code block, thanks. cheers, MuS
This isn't as convenient as I'd hoped but we ended up putting together a custom code block to build a clickable URL which can be shared.

import urllib.parse

# This line won't change between different searches ([splunk URL] is a placeholder for your Splunk base URL)
base_url = "[splunk URL]/en-US/app/SplunkEnterpriseSecuritySuite/search?q="

# This should be dynamically built with whatever you're searching for.
my_search = "index=* | stats count by index"

# This is optional, Splunk will use your default if you don't include it
# Times should be epoch format; [start] and [end] are placeholders for the epoch values
start = "[start]"
end = "[end]"
time_range = f'&earliest={start}&latest={end}'

# urllib.parse is required. It's the difference between "index=* | stats count by index" (human readable)
# and "index%3D%2A%20..." (working URL)
full_url = base_url + urllib.parse.quote(my_search) + time_range
A second layer of sed script successfully strips the excess whitespace, but it doesn't look like I can include a double quote, even encoded, without Splunk escaping it in the value.  I was really hoping to chain several OR statements into a single lookup value, but I guess that isn't possible.
Hello, I'm trying to extract fields from an event, but am not up to par on my regex, and I can't seem to get this to work. So these work in regex101, but not within the Splunk Field Extraction for some reason.

Within the event there is the following:
"alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,"

I need to create 3 fields from this:
Host = FL-NS-VPX-INT-1
ServiceGroup = mobileapist
Server = vnetapis003

When trying for Host with:
(?<="alias":")[^|]*
It never finds it in Splunk. Can't figure out why.

Extra credit: Just kidding. The last field I need, I can't get either with:
(?<="team","name":")[^"]*
"team","name":"Monitoring_Admin"}],

Here's the full event as well.

INFO[2024-11-13T13:37:23.9114215-05:00] Message body: {"actionType":"custom","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","ownerDomain":"integration","ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","discardScriptResponse":true,"sendCallbackToStreamHub":false,"requestId":"18dcdb1b-14d6-4b10-ad62-3f73acaaef2a","action":"Close","productSource":"Opsgenie","customerDomain":"siteone","integrationName":"Opsgenie Edge Connector","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","customerTransitioningOrConsolidated":false,"source":{"name":"","type":"system"},"type":"oec","receivedAt":1731523037863,"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","params":{"type":"oec","alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","integrationId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf","integrationName":"Opsgenie Edge Connector","integrationType":"OEC","customerDomain":"siteone","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","receivedAt":1731523037863,"customerConsolidated":false,"customerTransitioningOrConsolidated":false,"productSource":"Opsgenie","source":{"name":"","type":"system"},"alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"ownerId":"8b500163-8476-4b0e-9ef7-2cfdaa272adf"},"integrationType":"OEC","alert":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"},"customerConsolidated":false,"customerId":"3a1f4387-b87b-4a3a-a568-cc372a86d8e4","action":"Close","mappedActionDto":{"mappedAction":"postActionToOEC","extraField":""},"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","alertAlias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","alertDetails":{"Raw":"","Results Link":"https://hostname:8000/app/search/search?q=%7Cloadjob%20scheduler__td26605__search__RMD5e461b39d4ff19795_at_1731522600_38116%20%7C%20head%204%20%7C%20tail%201&earliest=0&latest=now","SuppressClosed":"True","TeamsDescription":"True"},"entity":{"alertId":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","id":"913a3db5-7e2a-44f4-a4ff-3002af480c8d-1731522737697","type":"alert","message":"[Splunk] Load Balancer Member Status","tags":[],"tinyId":"14585","entity":"","alias":"FL-NS-VPX-INT-1|mobileapist?vnetapis003?8777,","createdAt":1731522737697,"updatedAt":1731523038582000000,"username":"System","responders":[{"id":"f8c9079d-c7bb-4e58-ac83-359cb217a3b5","type":"team","name":"Monitoring_Admin"}],"teams":["f8c9079d-c7bb-4e58-ac83-359cb217a3b5"],"actions":[],"priority":"P3","oldPriority":"P3","source":"Splunk"}} messageId=7546739e-2bab-414d-94b5-b0f205208932

Thank you for all the help on this one,
Thanks,
Tom
This is in request to add the steps for adding Splunk Enterprise Security to my enterprise account, Thanks.  
Yes, you probably can get a Splunk Cloud stack (more than just a license), but it most likely will not be free beyond the initial (7 days) trial period.
Currently running Splunk 9.3.0, IT Essentials Work 4.18.1, VMware Dashboards and Reports content pack 1.2.0. All dashboards in the VMware Dashboards and Reports app where there is a "Quick Search" free text option are not working. It used to provide a list as you typed of matching hosts/VMs depending on the dashboard. Now I can't get it to do anything. Can anyone provide what the data source is for this input? I think I am probably missing a lookup file but cannot find which one. For example, this shows the radio button that gets you to the text input. The radio button works but the text input does nothing.
Ok I understand more where you were coming from now. Unfortunately this method won't work for my situation. I am using a dropdown that displays the actual name of the customer site we want to run this report for and that list is 100+ names. I also need this list to be dynamic so when new customers are onboarded, they automatically appear in the list. Now the names correspond to a "propertyId" which is what I have to send to the query to use on the data itself. (Pairing of the names and propertyId's are brought in from an external source and not Splunk event data.) The people I am designing this dashboard for will not have knowledge of what version that site has so they won't know whether to choose a > or < option. That's why I want to set up in the background for the dashboard to choose which query to run based on the name chosen from the dropdown box. I've started looking at some examples of using "choice value=" and pair that with <change> and <condition label=..> but that appears to either force me to create a value= for every single customer name or only have the choice of < versions and > versions. I'm beginning to think that what I am trying to accomplish cannot be done or at least not done in a dynamic way so that new customers are automatically added. But I will continue my online research and hopefully there will be an example out there that will spark an idea of another way to accomplish this. Even though I am not yet successful, I do appreciate your response and attempt to help me out!
Recall that subsearches run first and replace themselves with their results.  That means the search is looking only for Msg field (which may not exist in the index) values of 30 characters or fewer (longer values are missed without a wildcard). Perhaps you only need to truncate the Message for display purposes.  If so, drop the subsearch and run the eval as a separate command.
I agree.  The combination of stats max(uptime) and where Uptime=0 should show only hosts with zero up time. Is there something pertinent that is not being shared?
index=replicate category=* action=* Message=* [search index=replicate | eval Msg=substr(Message,1,30)] | stats count by action category Msg | dedup action

This is what I'm trying to do. The Message field is very large and I only need the first sentence of the Message. How can I do this? We want it in a sub-search to show the sub-search function for our users. This is Splunk Cloud implementation.
I did an inputlookup to get my field (uploads) and used this piece of search I found on another post:

| fields uploads | rex field=uploads mode=sed "s/(\d+)/%\1/g" | eval decode=urldecode(uploads)

I think I'm very close, but my decoded string has a space between every character looking something like this:

\ \ \ \ * \ \ b r a n c h \ \ s y s t e m \ \ t y p e 1 \ \ *
There doesn't appear (from what you have shared) to be anything that you are doing wrong.
| bin span=3h _time | stats max(uptime) AS Uptime BY _time, component_hostname | where Uptime=0
Please share your full search which is not working for you.